CVE-2022-49218

26.02.2025, 07:00

In the Linux kernel, the following vulnerability has been resolved:

drm/dp: Fix OOB read when handling Post Cursor2 register

The link_status array was not large enough to read the Adjust Request
Post Cursor2 register, so remove the common helper function to avoid
an OOB read, found with a -Warray-bounds build:

drivers/gpu/drm/drm_dp_helper.c: In function 'drm_dp_get_adjust_request_post_cursor':
drivers/gpu/drm/drm_dp_helper.c:59:27: error: array subscript 10 is outside array bounds of 'const u8[6]' {aka 'const unsigned char[6]'} [-Werror=array-bounds]
   59 |         return link_status[r - DP_LANE0_1_STATUS];
      |                ~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/drm_dp_helper.c:147:51: note: while referencing 'link_status'
  147 | u8 drm_dp_get_adjust_request_post_cursor(const u8 link_status[DP_LINK_STATUS_SIZE],
      |                                          ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Replace the only user of the helper with an open-coded fetch and decode,
similar to drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.1 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Linux	CNA	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Vendor	Product	Version
linux	linux_kernel	5.5 ≤ 𝑥 < 5.17.2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bullseye	vulnerable
bullseye (security)	vulnerable
bookworm	6.1.123-1 fixed
bookworm (security)	6.1.128-1 fixed
trixie	6.12.12-1 fixed
sid	6.12.16-1 fixed

Common Weakness Enumeration

CWE-125 - Out-of-bounds Read
The software reads data past the end, or before the beginning, of the intended buffer.

References

https://git.kernel.org/stable/c/a2151490cc6c57b368d7974ffd447a8b36ade639

https://git.kernel.org/stable/c/aeaed9a9fe694f8b1462fb81e2d33298c929180b